Files
falah-mobile/src/middleware.ts
T
pi-agent de48918acf
Deploy Staging / build (push) Failing after 26m15s
security: fix critical webhook direct upgrade path, seed auth, CORS Vary header
- Webhook polar/route: block direct ?userId=&tier= upgrades in production (NODE_ENV guard)
- Seed route: require ADMIN_SECRET via x-admin-secret header
- Feedback route: require FEEDBACK_ADMIN_TOKEN env var in production
- CORS middleware: add Vary: Origin header for caching correctness
- MOCK_PAYMENTS: add NODE_ENV production guard
- Wallet top-up: add production guard for mock mode when POLAR_ACCESS_TOKEN unset
2026-06-28 01:15:45 +08:00

42 lines
1.2 KiB
TypeScript

import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
const ALLOWED_ORIGINS = [
"https://falahos.my",
"https://www.falahos.my",
"http://localhost:3000",
"http://localhost:4013",
"http://localhost:4014",
];
export function middleware(request: NextRequest) {
const origin = request.headers.get("origin") || "";
const isAllowed = !origin || ALLOWED_ORIGINS.includes(origin);
const response = NextResponse.next();
if (origin && isAllowed) {
response.headers.set("Access-Control-Allow-Origin", origin);
response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
response.headers.set("Access-Control-Max-Age", "86400");
response.headers.set("Vary", "Origin");
} else if (origin && !isAllowed) {
response.headers.set("Access-Control-Allow-Origin", "https://falahos.my");
response.headers.set("Vary", "Origin");
}
if (request.method === "OPTIONS") {
return new NextResponse(null, {
status: 204,
headers: response.headers,
});
}
return response;
}
export const config = {
matcher: "/api/:path*",
};